Transactions Reference

SigNoz Cloud - This page applies to SigNoz Cloud editions.
Self-Hosted Enterprise - This page applies to self-hosted SigNoz with an active license.

Fine-grained access control is currently in beta.

Overview

This page lists the transactions available for each resource in SigNoz. Each table shows the supported relations, what they mean for that resource, and which managed roles have access.

A transaction is a single relation on a resource, optionally scoped to specific instances with a selector. When you configure a custom role, the transactions you grant are shown together as the role's Transaction Groups.

For an explanation of relations and how access control works, see the Authorization Overview.

This page currently covers IAM resources (roles, service accounts, API keys). Transactions for observability resources such as dashboards, alerts, and pipelines will be documented as they become available for fine-grained access control.

Role

Resource: role | Kind: role | Selector: role name (for example, my-custom-role)

RelationDescriptionManaged Role Access
createCreate a new custom role.signoz-admin
listList all roles (managed and custom).signoz-admin
readView a role's details and its configured transactions.signoz-admin
updateModify a custom role's description or change its transactions.signoz-admin
deleteDelete a custom role (the role must have no assigned principals).signoz-admin
attachCreate a relationship with the role — assign this role to a principal.signoz-admin
detachRemove a relationship from the role — unassign this role from a principal.signoz-admin

Service Account

Resource: serviceaccount | Kind: serviceaccount | Selector: service account ID

RelationDescriptionManaged Role Access
createCreate a new service account.signoz-admin
listList all service accounts in the organization.signoz-admin
readView a service account's details and its assigned roles.signoz-admin
updateModify a service account (for example, rename it).signoz-admin
deleteDelete a service account and revoke all its API keys.signoz-admin
attachCreate a relationship with the service account — assign a role to it, or add an API key to it.signoz-admin
detachRemove a relationship from the service account — unassign a role from it, or revoke an API key from it.signoz-admin

API Key

Resource: metaresource | Kind: factor-api-key | Selector: API key ID

RelationDescriptionManaged Role Access
createGenerate a new API key for a service account.signoz-admin
listList all API keys belonging to a service account.signoz-admin
readView API key metadata (name, expiration, last used).signoz-admin
updateModify API key metadata (for example, change the expiration date).signoz-admin
deletePermanently revoke an API key.signoz-admin

Compound Transactions

Some operations require transactions on multiple resources. Both transactions must be satisfied for the operation to succeed.

OperationTransactions Required
Assign a role to a service accountserviceaccount:attach AND role:attach
Unassign a role from a service accountserviceaccount:detach AND role:detach
Create an API key for a service accountfactor-api-key:create AND serviceaccount:attach
Revoke an API key from a service accountfactor-api-key:delete AND serviceaccount:detach

Last updated: June 26, 2026

Edit on GitHub

Was this page helpful?

Your response helps us improve this page.

On this page

Is this page helpful?

Your response helps us improve this page.